Hydra password attack on root not working

A place where newbies can post without (much) fear of reprisal. All mission posts should still go in the applicable forum.
Forum rules
Older HTS users: Be nice to the new people.

NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.

Hydra password attack on root not working

Post by BrandonHeat on Fri Jun 20, 2014 12:38 pm
([msg=81567]see Hydra password attack on root not working[/msg])

Me and a few collegues at work recently got our hands on an old machine , which we used to setup debian linux on and run a discourse(discussion platform) server. The guy who installed the OS and the server then gave the rest of us the lowest possible trust level at which you can do almost nothing and challenged us to elevate our accounts to admins.

The first thing I did was compile a list of all the passwords we used at work and use this for a ssh dictionary attack against his account with hydra, which worked. Then I ran into a bit of a problem. His account wasn't enough to do what I needed, so I tried running the same dictionary attack against the root account. When this didn't work, I tried an actual complete wordlist which took a few days to run, and still no success.

In the end I was able to guess the password and complete his challenge just because I knew the guy well enough and could predict what he would think of. What still bugs me, trough, is that when I tried to run hydra with a wordlist consisting of the the correct password I had found and a few others, it still failed. I also noticed that you couldn't ssh into the machine as root@ipadress with the correct password, either, almost as if the root account is disabled. When you login normally, however, and the use su with this password, it works, and your user is shown as root@machine:, so it is indeed the root account.

My question is this: How would run a brute force / dictionary attack against the root account on a machine such as this, which doesn't allow direct login as root?
BrandonHeat
New User
New User
 
Posts: 7
Joined: Tue Mar 01, 2011 2:44 pm
Blog: View Blog (0)


Re: Hydra password attack on root not working

Post by cyberdrain on Sat Jun 21, 2014 7:33 pm
([msg=81589]see Re: Hydra password attack on root not working[/msg])

Hmm, just some ideas to get passwords. Run the command locally (stupid, but might work). Escalate privileges using a vulnerable daemon/program and dump the hashes. Dump contents of the shadow file using a running service (think Heartbleed and similar). Power down the machine, copy the file in which the passwords are stored and brute force that. Use some other account that you think might have the same password. Sniff the network in hopes of grabbing the hash. Brute force a user with administrator privileges first and use those to get to the hash of root. Use a hardware keylogger. Though not exactly an answer to you question, this is also fun: grab the hash some other way, pass the hash (only works when using LM or NTLM) and use the gained privileges.

Note: I haven't tested any of those, I have little knowledge of Linux privilege escalation.
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony
User avatar
cyberdrain
Addict
Addict
 
Posts: 1502
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: Hydra password attack on root not working

Post by BrandonHeat on Sun Jun 22, 2014 6:13 am
([msg=81594]see Re: Hydra password attack on root not working[/msg])

Thanks, cyberdrain! This'll give me some ideas to play with next week.
BrandonHeat
New User
New User
 
Posts: 7
Joined: Tue Mar 01, 2011 2:44 pm
Blog: View Blog (0)


Re: Hydra password attack on root not working

Post by cyberdrain on Sun Jun 22, 2014 7:23 am
([msg=81597]see Re: Hydra password attack on root not working[/msg])

Let me know what you did and how it went, I'm interested. :D
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony
User avatar
cyberdrain
Addict
Addict
 
Posts: 1502
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: Hydra password attack on root not working

Post by limdis on Sun Jun 22, 2014 11:30 am
([msg=81603]see Re: Hydra password attack on root not working[/msg])

The one account that you do have access to that "wasn't enough", login with it and try and locate the sshd_config file. It's possible that account has enough rights to edit that file. If it does, re-enable ssh root logins. Go back to hydra.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
User avatar
limdis
Moderator
Moderator
 
Posts: 1432
Joined: Mon Jun 28, 2010 5:45 pm
Blog: View Blog (0)


Re: Hydra password attack on root not working

Post by cyberdrain on Sun Jun 22, 2014 4:58 pm
([msg=81611]see Re: Hydra password attack on root not working[/msg])

That's a good one, I should remember to fix that on my box :o
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony
User avatar
cyberdrain
Addict
Addict
 
Posts: 1502
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: Hydra password attack on root not working

Post by BrandonHeat on Sun Jun 29, 2014 3:01 pm
([msg=81881]see Re: Hydra password attack on root not working[/msg])

Editing the sshd_config file worked like a charm :) Very nice trick, exactly what I was looking for!
BrandonHeat
New User
New User
 
Posts: 7
Joined: Tue Mar 01, 2011 2:44 pm
Blog: View Blog (0)


Re: Hydra password attack on root not working

Post by cyberdrain on Sun Jun 29, 2014 3:13 pm
([msg=81885]see Re: Hydra password attack on root not working[/msg])

Limdis +1 :D
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony
User avatar
cyberdrain
Addict
Addict
 
Posts: 1502
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)



Return to NZone

Who is online

Users browsing this forum: No registered users and 0 guests